Archive for September 19th, 2013

There are various reasons why targeted attacks can happen to almost any company. One of the biggest reasons is theft of a company’s proprietary information. There are many types of confidential data that could be valuable. Intellectual property is often the first thing that comes to mind. There are also other, less obvious items of value that can be acquired: for example, financial information, employee and customer personal information, and information related to pending sales, financial deals, and legal actions. However, companies can also be targeted for reasons having nothing to do with their products or information.

Targeted Attacks Serve as Launch Pads

Attackers may target a company so that they may use the newly compromised infrastructure as a launching ground for attacks against other organizations. In certain cases, the attackers may want to use the victim’s e-mail accounts to gain some legitimacy in a spear-phishing campaign.

Another reason for targeting may be who the company’s networks are connected to. A small vendor may supply parts to a larger integrator, and this may require the vendor to have access to the integrator’s networks. It may be easier and/or stealthier for the attacker to come in through the vendor’s network rather than try to gain a foothold in the integrator’s networks directly.

Additionally, a company may be targeted for the sole purpose of being used as a stepping stone or hop point to help obscure the path between the attacker and his target.

What Can Be Done to Deal with Targeted Attacks?

Unfortunately, time and the odds are on the side of the attacker. No matter how good a company’s defenses are, it takes just one configuration mistake or a single user to open a malicious file or visit an infected watering hole for the company to become infected. Once an attacker is inside a network, the goal must be to detect and contain them as quickly as possible. At that point, a full forensic investigation can be conducted to see where the attackers have been and what damage they have done.

So, is there anything that companies can do to deal with targeted attacks? The answer is yes.

The investigation process can be very time-consuming, but there are two areas a company can address ahead of time to help minimize the damage, as well as make the investigation as quick and successful as possible. The first area involves changes to infrastructure: proper logging policies, network segmentation, tightening user security policies, and protecting critical data. The second area involves personnel. Companies should have their own threat intelligence group as well as a forensic team that is already trained and operational.

To help improve security posture, penetration testing can be a great help to companies. There is a lot to be learned from these tests, regardless of whether they are required or not. At the very least, network testing should be done, but, if possible, allow social-engineering and physical security tests as well. Once completed, the penetration testing can be used as a training tool for the forensic team and provide lessons learned to the company regarding overall security issues.

Security as an Investment

There is a cost associated with these preparations, but it will be dwarfed by the cost of a single extensive targeted attack investigation. In addition to the actual amount to run the investigation, there are the harder-to-characterize costs, including possible loss of contracts, investor confidence, or lawsuits. It is simply too expensive for companies to ignore the risks of being the victim of a targeted attack.